Cybrella Discovers Serious Security Flaw in Leading NAS System

May 26, 2021


Yoni Ramon

Yoni Ramon, a cybersecurity expert and member of Cybrella’s advisory board, recently uncovered a dangerous vulnerability in a leading NAS system. The security flaw allowed full access to all data on the platform’s support portal, including sensitive information belonging to numerous Fortune 500 companies.

“It all started when I decided to poke at the NAS helpdesk widget which comes installed on many of the vendor’s NAS devices,” said Yoni Ramon, a seasoned expert, long-time bounty hunter and security authority for IoT, cloud, and other architectures. The vendor that makes the NAS platform investigated by Ramon is a world leader in network-attached storage devices. Its products are used by organizations ranging from small and medium-sized businesses to some of the world’s largest enterprises.

“I had reported security vulnerabilities with this system in the past, including remote code execution, SQL injection, and authentication bypass issues. This time I thought I’d search for something different,” said Ramon.

Since the helpdesk application is written in PHP, which makes it fairly simple to investigate, Ramon started there. “To my surprise, the first file I opened contained hardcoded API keys,” he reported.

“The next logical thing to do was to test if the keys in the file were valid, and determine what permissions were associated with them. A quick Google search and I found extensive documentation for the product’s API. It included the following information:

“The REST API does not require a staff user account to authenticate. The REST API authenticates to the helpdesk using an API key and a secret. By using the API key, your connecting application gains access to your helpdesk's data. This means that the REST API has no concept of staff, team, or department permissions.”

In other words, the product’s own documentation confirmed that the hardcoded API key and secret would grant full access to all the data stored in the application, with no per-user or per-department permission checks to limit it.
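The root cause described above is a credential committed to source. As an added example that is not part of this article or the vendor's code, the Python scanner below looks for credential-like PHP variables assigned a string literal, run over a constructed helpdesk widget file and a hardened version that reads the key and secret from the environment instead (all names and values are made up):

```python
import re
from typing import List, Tuple

# Constructed sample of a PHP helpdesk widget file with embedded credentials.
# Key and secret values are made up; this is not the vendor's code.
SAMPLE_PHP = r'''<?php
$apiKey    = "ak_live_0123456789abcdef0123456789abcdef";
$apiSecret = 'sk_9f8e7d6c5b4a39281706f5e4d3c2b1a0';
$endpoint  = "https://helpdesk.example.invalid/api/";
$debug     = false;
'''

# The hardened form: credentials are read from the environment (or a secrets
# manager) at runtime, so nothing usable ships in the source tree.
HARDENED_PHP = r'''<?php
$apiKey    = getenv('HELPDESK_API_KEY');
$apiSecret = getenv('HELPDESK_API_SECRET');
$endpoint  = "https://helpdesk.example.invalid/api/";
'''

# A PHP variable whose name suggests a credential, assigned a quoted string literal.
CRED_ASSIGN = re.compile(
    r'\$(\w*(?:api[_-]?key|secret|token|password)\w*)\s*=\s*(["\'])(.+?)\2\s*;',
    re.IGNORECASE,
)
PLACEHOLDERS = {"changeme", "your_api_key_here", "xxxxxxxxxxxxxxxx"}

def mask(value: str) -> str:
    """Keep only a short prefix so findings can be reported without re-leaking the secret."""
    return value[:4] + "*" * (len(value) - 4)

def find_hardcoded_credentials(php_source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, variable_name, masked_value) for every credential-like
    variable that is assigned a non-trivial string literal."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        m = CRED_ASSIGN.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(3)
        # Short values and obvious placeholders are not live credentials.
        if len(value) < 16 or value.lower() in PLACEHOLDERS:
            continue
        findings.append((lineno, name, mask(value)))
    return findings

if __name__ == "__main__":
    for lineno, name, preview in find_hardcoded_credentials(SAMPLE_PHP):
        print(f"line {lineno}: ${name} = {preview}")
    print("hardened file findings:", find_hardcoded_credentials(HARDENED_PHP))
```

A check like this belongs in CI or a pre-commit hook for any firmware or web component that ships PHP, so a key never reaches a device in the first place.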

Private and Personal Information Discovered

Ramon started testing the keys and data access by issuing a ticket search request. He quickly confirmed that the API keys allowed him to search all the tickets stored in the application. “The ticket IDs were all sequential and I was able to easily access any ticket and its data,” said Ramon. The data contained private and personal information especially useful to an attacker, such as:

  • Usernames
  • Email addresses
  • Ticket content
  • Ticket attachment IDs

The screenshot below provides just one example of sensitive information being returned by the QNAP system. The hardcoded API key in the request (left side of the screenshot) has been obscured. On the right side of the screenshot the system returns data in response to the request; each field obscured by the highlighting contains sensitive data.

Screenshot – Personal and Private Information

“With access to emails, I was able to start searching for tickets associated with a specific email address or domain,” said Ramon. “I wasn’t shocked to find tickets opened by Fortune 500 companies. I even discovered unpatched vulnerability reports for many of the users of the NAS equipment. Some of these reports even included the full exploit code within the ticket content. Many tickets also included attachments containing full TCP dumps and log files with lots of sensitive information. Needless to say, TCP dumps and log files are a goldmine when doing reconnaissance on a major company.”

Clearly, customers of the NAS products were using the Helpdesk support portal for more than just opening support tickets.

QNAP Immediately Addresses Problem

After discovering the vulnerability, Ramon contacted QNAP, and they immediately corrected the issue. “QNAP was very responsive and instantly took measures to protect their products and customers,” he reported.

“It’s rewarding to see a company like QNAP react so quickly to a vulnerability,” commented Alon Mantsur, CEO of Cybrella. “That’s not always the case.”

About Yoni Ramon

Mr. Ramon currently sits on Cybrella’s advisory board and provides in-depth security expertise to Cybrella and its customers. Mr. Ramon is a well-known security expert with experience across a wide variety of business applications and devices, specializing in secure network architecture, cloud environments, and mission-critical systems. He has served as Red Team Manager, Staff Security Engineer, and Senior Information Security Engineer at perhaps the most innovative electric car company, where his responsibilities included penetration testing, code review, web application penetration testing, DDoS mitigation, and product security.

In 2013 Yoni was a team leader in the secure web applications division of 2BSecure.

About Cybrella

Cybrella is a world-leading cybersecurity consulting company, headquartered in Boston with an office in Tel-Aviv, Israel.

Cybrella provides consulting services for all aspects of modern cybersecurity requirements – risk management, fraud and AML, cloud security, technology, etc. – delivered in two service bundles: CISO as a Service and Application Security as a Service.

Cybrella's Red Team is a world-class, highly trained, and certified penetration testing team, acting as ethical hackers to simulate possible attacks from the attacker’s point of view.
